Pacman 4 has landed in core! Thanks to 24 contributors producing 893 commits, you'll find many new features. The one explicitly worth calling out is gpg signing. However, until the last few details regarding database signing and keyring distribution are ironed out, this is disabled in pacman's default config. If you're interested in trying out package verification, please refer to the documentation on the wiki about pacman-key or Allan's blog post.

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984

After running the script to add the GPG signature for the Master Keys, I have not had one issue with installing or updating applications. I imagine that I will run across an AUR package here and there that may require adding the key but it should work for the most part:

QUOTE

When the master keys are added, you do not need to validate every Arch Linux Developer's and Trusted User's PGP key as those are signed by at least three of these master keys.

I've read much over the last year in regards to Arch Linux and package signing. Like Eric said, there was certainly a lot of whining because of it. I see both sides of the argument. I have been running Arch Linux exclusively now for I guess about 7 months and package signing (or lack thereof) has never resulted in any issue that I am aware of.

Though I do see the benefit of it, at this point especially with the warning mentioned many times in the wiki:

CODE

Warning: Use with caution. Please check that the keys listed below match the master-keys. It is also possible that someone will hack the master-keys page and insert malicious PGP key(s), making the whole signing process useless.

I think I will continue doing things the way I have been doing them until I get bit on the backside. I am a hard headed individual and it normally takes something like getting bit for me to change my ways.

I'm leaning toward your thoughts, Ian. I didn't have any issues with Pacman as it was. Maybe I'll just leave it alone for a bit and see that all the bugs are worked out of the newer method after a few weeks/months or so. I've never been the adventurous sort.

This might be the right thing to do, but it will be useful only when the packages are all signed. I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys.

What a pain in the butt.

I added the SigLevel = Never line to my .conf. I can wait a while.

Tweak it 'til it breaks, then learn how to fix it.

L.I.F.E. (Linux Is For Everyone)

Registered Linux User # 474004 (06/16/2008)

REGLUE

Recycled Electronics and Gnu/Linux Used for Education

Reglue, in a nutshell, gives free Linux computers to under privileged children and their families.

This might be the right thing to do, but it will be useful only when the packages are all signed. I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys.

What a pain in the butt.

I added the SigLevel = Never line to my .conf. I can wait a while.

I am also not having issues and I applied the key checking and the Master/Trusted scripts. The master should have added the Trusted ones as well but it may be worth trying.

Looks like all of the packages in the Core/Community/Extra repos have been signed now:

QUOTE

Some time in the last couple of days, the last of the packages in the Community repository were signed and, thanks to the tremendous work of the Arch developers and Trusted Users, you can fully implement package signing in your /etc/pacman.conf.

You can check the state of the signed packages with this expac one-liner; it will return a list of any unsigned packages:

expac -S '%r %n %g'|awk '$3=="(null)" {print $1 "/" $2}'

Now that the packages are all signed, I updated my /etc/pacman.conf to take advantage of this. My overall SigLevel setting requires signed packages, and—as of yesterday—I was able to move the last repository entry over to do the same.
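An added example (not from the thread or the quoted blog post): a small Python audit that reads pacman.conf text and reports, per repository, whether package signatures are actually required once a repo-level SigLevel is merged over the [options] default. The merge is a simplified model of pacman.conf(5) (package-level tokens only, Include files are not followed); the sample config and the `custom` repository name are constructed.

```python
import re

# pacman's built-in default when no SigLevel is configured (pacman.conf(5)).
BUILTIN = {"when": "Optional", "trust": "TrustedOnly"}

def apply_siglevel(base, value):
    """Return the package-verification level after applying one SigLevel value."""
    level = dict(base)
    for token in value.split():
        if token.startswith("Database"):
            continue  # database-only token: package checking is unchanged
        name = token[len("Package"):] if token.startswith("Package") else token
        if name in ("Never", "Optional", "Required"):
            level["when"] = name
        elif name in ("TrustedOnly", "TrustAll"):
            level["trust"] = name
    return level

def audit(conf_text):
    """Map each repository to (when, trust, verdict) for package signatures."""
    section, default, repos = None, dict(BUILTIN), {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            if section != "options":
                repos.setdefault(section, [])
            continue
        key, _, value = line.partition("=")
        if key.strip() != "SigLevel":
            continue
        if section == "options":
            default = apply_siglevel(default, value)
        elif section in repos:
            repos[section].append(value)
    report = {}
    for repo, values in repos.items():
        level = dict(default)                     # repos inherit [options]
        for value in values:
            level = apply_siglevel(level, value)  # then override per repo
        ok = level["when"] == "Required" and level["trust"] == "TrustedOnly"
        report[repo] = (level["when"], level["trust"],
                        "enforced" if ok else "not enforced")
    return report

# Constructed sample: a strict global default with three weakened repositories.
SAMPLE = ("[options]\nSigLevel = Required DatabaseOptional\n"
          "[core]\nInclude = /etc/pacman.d/mirrorlist\n"
          "[extra]\nSigLevel = PackageOptional\n[community]\nSigLevel = Never\n"
          "[custom]\nSigLevel = Optional TrustAll\n")
```

Calling `audit(open("/etc/pacman.conf").read())` on a real system lists any repository where an unsigned package, or one signed by a key outside the trusted keyring, would still be accepted.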
